42 lines
1.5 KiB
Diff
42 lines
1.5 KiB
Diff
From 38622da97fb6fcb2d43d5676ac75cb5ac7896359 Mon Sep 17 00:00:00 2001
|
|
From: lutianxiong <lutianxiong@huawei.com>
|
|
Date: Tue, 16 Jun 2020 11:15:10 +0800
|
|
Subject: [PATCH] Fix int64 overflow check
|
|
|
|
Overflow check "(value >> 32) * 10 < INT32_MAX" may not work in
|
|
certain conditions, e.g. value is 0xcccccccdbcdc9cc
|
|
|
|
Note: This fixes oss-fuzz bug 16117.
|
|
---
|
|
libclamav/htmlnorm.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/libclamav/htmlnorm.c b/libclamav/htmlnorm.c
|
|
index d0be15b..4ac4948 100644
|
|
--- a/libclamav/htmlnorm.c
|
|
+++ b/libclamav/htmlnorm.c
|
|
@@ -1459,9 +1459,9 @@ static int cli_html_normalise(int fd, m_area_t *m_area, const char *dirname, tag
|
|
next_state = HTML_BAD_STATE;
|
|
ptr++;
|
|
} else if (isdigit(*ptr) || (hex && isxdigit(*ptr))) {
|
|
- if (hex && (value >> 32) * 16 < INT32_MAX) {
|
|
+ if (hex && value < INT64_MAX / 16) {
|
|
value *= 16;
|
|
- } else if ((value >> 32) * 10 < INT32_MAX) {
|
|
+ } else if (value < INT64_MAX / 10) {
|
|
value *= 10;
|
|
} else {
|
|
html_output_c(file_buff_o2, value);
|
|
@@ -1727,7 +1727,7 @@ static int cli_html_normalise(int fd, m_area_t *m_area, const char *dirname, tag
|
|
state = HTML_RFC2397_DATA;
|
|
break;
|
|
case HTML_ESCAPE_CHAR:
|
|
- if ((value >> 32) * 16 < INT32_MAX) {
|
|
+ if (value < INT64_MAX / 16) {
|
|
value *= 16;
|
|
} else {
|
|
state = next_state;
|
|
--
|
|
2.23.0
|
|
|